Forum Discussion

Dean_Miller_908
Jan 23, 2009

How does Firepass determine the FQDN of connecting machine?

Hi!

We have our FirePass working with a pre-logon endpoint inspection of a machine certificate (does the standard check of CN equal to FQDN). However, my CISO is asking how the FirePass determines the FQDN. It does not seem to be reverse DNS, because I connected to the FirePass through another VPN which does not provide a reverse-DNS lookup. Can anyone tell me how, in fact, the FirePass determines the FQDN of the connecting machine? He is looking at it to determine whether it meets our security policies.

Thanks.

dean

3 Replies

  • As far as I can tell it is not DNS but rather it looks at the host name and default domain of the machine.

    E.g. on Windows XP open a command prompt and run ipconfig /all and then mash "Host Name" and "Primary Dns Suffix" together.

    I have some machines with no default domain, so the CN of their machine certificate is "computername." and that works fine.
  • But now I see it's more than I suggested in my previous post. I too would like to know how exactly the machine certificate checker identifies the client FQDN.
  • FYI I opened a support case and learned the following:

    If the computer is joined to a domain then the FQDN is computer name . domain. It will match exactly what you see in the "Full computer name" field of the "Computer Name" tab of the system properties control panel. It is case sensitive, too.

    If the computer is not joined to a domain then the certificate CN only needs to contain the computer name (case sensitive). If the computer has any connection-specific DNS suffixes, one of those can be present in the cert but it is not required.
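For anyone who wants to check a client before rolling out the pre-logon inspection, the following PowerShell script reproduces the two matching rules described in the support-case reply (and the "host name plus primary DNS suffix" heuristic from the first reply) against the machine certificates in the local computer store. It is an added example written for this thread, not F5 code, and it does not reproduce the FirePass checker itself. It assumes that `Win32_ComputerSystem.DNSHostName` joined with `Win32_ComputerSystem.Domain` is what the "Full computer name" field shows on a domain-joined machine, and that the machine certificate lives in `Cert:\LocalMachine\My`; both are assumptions, not facts from the thread.

```powershell
# Added example (not from the thread or from F5): work out the name the FirePass
# machine-certificate check is described as expecting, then test every certificate
# in the local machine's personal store against it using the same case-sensitive rules.

function Get-ExpectedMachineName {
    # Assumption: DNSHostName + "." + Domain equals the "Full computer name" field
    # of System Properties when the machine is domain-joined.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Primary DNS suffix as shown by "ipconfig /all" (the first reply's heuristic),
    # read from the Tcpip parameters key; shown for comparison only.
    $tcpip  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $suffix = if ($tcpip.Domain) { $tcpip.Domain } else { $tcpip.'NV Domain' }

    [pscustomobject]@{
        Joined        = [bool]$cs.PartOfDomain
        ComputerName  = $cs.DNSHostName
        # Domain-joined: the CN must equal this exactly. Not joined: the CN need only
        # contain ComputerName (a connection-specific suffix may follow, optionally).
        ExpectedCn    = if ($cs.PartOfDomain) { "$($cs.DNSHostName).$($cs.Domain)" } else { $cs.DNSHostName }
        IpconfigStyle = if ($suffix) { "$($cs.DNSHostName).$suffix" } else { "$($cs.DNSHostName)." }
    }
}

function Test-MachineCertCn {
    param(
        [Parameter(Mandatory)][string]$Cn,
        [Parameter(Mandatory)]$Expected
    )
    if ($Expected.Joined) {
        # -ceq is the case-sensitive equality operator in PowerShell
        return $Cn -ceq $Expected.ExpectedCn
    }
    # .NET String.Contains(string) is an ordinal (case-sensitive) substring test
    return $Cn.Contains($Expected.ComputerName)
}

$expected = Get-ExpectedMachineName
Write-Host "Domain joined : $($expected.Joined)"
Write-Host "Expected CN   : $($expected.ExpectedCn)"
Write-Host "ipconfig-style: $($expected.IpconfigStyle)"
Write-Host ""

Get-ChildItem -Path 'Cert:\LocalMachine\My' | ForEach-Object {
    # SimpleName returns the subject CN when one is present
    $cn = $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        SubjectCN  = $cn
        NotAfter   = $_.NotAfter
        WouldPass  = Test-MachineCertCn -Cn $cn -Expected $expected
    }
} | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the client you intend to connect from; a certificate that differs from the expected name only in letter case will show `WouldPass` as `False`, which is the case-sensitivity point the support reply makes. The `IpconfigStyle` column is there so you can see where the first reply's heuristic and the support-case rule diverge on a machine with no primary DNS suffix.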